论文信息 - Security Evaluation of J2ME CLDC Embedded Java Platform

Security Evaluation of J2ME CLDC Embedded Java Platform

Java 2 Micro-Edition Connected Limited Device Configuration (J2ME CLDC) is the platform of choice when it comes to running mobile applications on resourceconstrained devices (cell phones, set-top boxes, etc.). The large deployment of this platform makes it a target for security attacks. The intent of this paper is twofold: First, we study and evaluate the security model of J2ME CLDC. Second, we provide a vulnerability analysis of this Java platform. The evaluated components are: Virtual machine, CLDC API and MIDP (Mobile Information Device Profile) API. The analysis covers the specifications, the reference implementation (RI) as well as several other widely-deployed implementations of this platform. The aspects targeted by this security analysis encompass: Networking, record management system, virtual machine, multi-threading and digital rights management. This work identifies security weaknesses in J2ME CLDC that may represent sources of security exploits. Moreover, the results reported in this paper are valuable for any attempt to test or harden the security of this platform.

Mourad Debbabi | Mohamed Saleh | Chamseddine Talhi | Sami Zhioua

[1] Jyri Huopaniemi,et al. Programming wireless devices with the Java 2 platform, micro edition : J2ME, connected limited device configration (CLDC) 1.1, mobile information device profile (MIDP) 2.0 , 2001 .

[2] Frank Yellin,et al. The Java Virtual Machine Specification , 1996 .

[3] Sheng Liang,et al. Java Native Interface: Programmer's Guide and Specification , 1999 .

[4] James Gosling. The Java Language Specification - Second Edition , 2000 .

[5] Ian Goldberg,et al. Randomness and the Netscape browser , 1996 .

[6] Ayman I. Kayssi,et al. J2ME application-layer end-to-end security for m-commerce , 2004, J. Netw. Comput. Appl..

[7] Guy L. Steele,et al. Java Language Specification, Second Edition: The Java Series , 2000 .

[8] Vipul Gupta,et al. KSSL: experiments in wireless internet security , 2001 .

[9] Bruce Schneier,et al. Ten Risks of PKI , 2004 .

[10] Cédric Fournet,et al. Stack inspection: Theory and variants , 2003, TOPL.

[11] Last. Java and Java Virtual Machine security vulnerabilities and their exploitation techniques , 2002 .

[12] Lawrence C. Stewart,et al. HTTP Authentication: Basic and Digest Access Authentication , 1999 .

[13] Teemupekka Virtanen,et al. MIDP 2.0 security enhancements , 2004, 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings of the.